Enabling Intel TXT on Dell PowerEdge Servers with VMware ESXi

DellTechCenter.com is a community for IT professionals that focuses on Data Center and End User Computing best practices. Here you can learn about and share knowledge about Dell products and solutions.

Intel TXT (Trusted Execution Technology) is a hardware security solution that protects IT infrastructure against software-based attacks by validating the behavior of key components within a server during startup. For VMware ESXi, each time the host boots it measures the vmkernel and a subset of modules (VIBs) and stores the measurements in Platform Configuration Register (PCR) 20 of the TPM (Trusted Platform Module). In a nutshell, if Intel TXT is enabled, VMware ESXi boots in secure mode and the integrity of the vmkernel and other components is ensured. Intel TXT support for VMware ESXi starts from VMware ESXi 4.1 Update 1 onwards. This feature is not supported for the VMware ESX classic edition.

For VMware ESXi 4.x, TXT is disabled by default and needs to be enabled manually.

For VMware ESXi 5.0, TXT is enabled by default and doesn't require any manual settings from the VMware ESXi perspective.

The trusted-boot behavior differs between VMware ESXi versions when the server fails to meet the prerequisites for VMware ESXi trusted boot.

For VMware ESXi 5.x, if the prerequisites are not met, the kernel does not boot in a measured environment. It automatically falls back to normal mode and continues booting.

For VMware ESXi 4.x, if the prerequisites are not met and TXT has been enabled manually from VMware ESXi, the boot fails and the system resets continuously. This behavior changed in 4.1 Update 2, which behaves like ESXi 5.0.
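The two points above that matter to a defender are that the measurements land in PCR 20 by way of the TPM extend operation, and that ESXi 5.x silently falls back to a normal boot when the prerequisites are not met, so the only way to know a host really booted measured is to read PCR 20 and compare it with a known-good value. The following is an added example, not code from the Dell article or from VMware: it simulates the TPM 1.2 extend chain over a constructed boot-component list, and classifies a PCR 20 reading as trusted, tampered, or never launched. The component names and blobs are constructed, the real ESXi measurement order and format are not reproduced, and the two reset constants (all-ones before a dynamic launch, all-zeros immediately after it) are stated as assumptions about the TPM 1.2 dynamic PCRs rather than taken from the page.

```python
import hashlib

PCR_LEN = 20  # a TPM 1.2 PCR holds one SHA-1 digest

# Assumed reset values for the dynamic (DRTM) PCRs 17-22 on a TPM 1.2:
# all-ones until a measured launch happens, all-zeros right after SENTER.
PCR_NEVER_LAUNCHED = b"\xff" * PCR_LEN
PCR_AFTER_LAUNCH = b"\x00" * PCR_LEN


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 extend: new_pcr = SHA1(old_pcr || measurement).

    The PCR can only be extended, never written, so the final value depends
    on every measurement and on the order in which they were recorded.
    """
    if len(pcr) != PCR_LEN or len(measurement) != PCR_LEN:
        raise ValueError("PCR and measurement must be SHA-1 sized")
    return hashlib.sha1(pcr + measurement).digest()


def measure(blob: bytes) -> bytes:
    """Measurement of a boot component is simply its SHA-1 digest."""
    return hashlib.sha1(blob).digest()


def simulate_pcr20(components) -> bytes:
    """Replay the measured launch: start from the post-launch reset value
    and extend PCR 20 once per (name, bytes) component, in boot order."""
    pcr = PCR_AFTER_LAUNCH
    for _name, blob in components:
        pcr = pcr_extend(pcr, measure(blob))
    return pcr


def check_measured_boot(pcr20: bytes, golden: bytes) -> str:
    """Classify a PCR 20 reading against a known-good (golden) value.

    'no-measured-launch' is the silent ESXi 5.x fallback case: the PCR still
    holds its pre-launch reset value because nothing was ever measured.
    """
    if pcr20 == PCR_NEVER_LAUNCHED:
        return "no-measured-launch"
    if pcr20 == PCR_AFTER_LAUNCH:
        return "launched-but-nothing-measured"
    if pcr20 == golden:
        return "trusted"
    return "mismatch"


# Constructed sample boot components (hypothetical names and contents).
SAMPLE_COMPONENTS = [
    ("vmkernel", b"vmkernel build 12345 (constructed)"),
    ("vib:esx-base", b"esx-base VIB payload (constructed)"),
    ("vib:net-driver", b"net driver VIB payload (constructed)"),
]


def golden_pcr20() -> bytes:
    """Known-good PCR 20 for SAMPLE_COMPONENTS, as an attestation server
    would record it from a host that is trusted to be pristine."""
    return simulate_pcr20(SAMPLE_COMPONENTS)


def tampered_pcr20() -> bytes:
    """Same boot with one byte changed in a single VIB."""
    tampered = list(SAMPLE_COMPONENTS)
    name, blob = tampered[2]
    tampered[2] = (name, blob[:-1] + b"!")
    return simulate_pcr20(tampered)


def reordered_pcr20() -> bytes:
    """Same components, different boot order: also a different PCR value."""
    return simulate_pcr20(list(reversed(SAMPLE_COMPONENTS)))


if __name__ == "__main__":
    golden = golden_pcr20()
    for label, reading in [
        ("pristine host", golden),
        ("tampered VIB", tampered_pcr20()),
        ("reordered boot", reordered_pcr20()),
        ("fallback to normal boot", PCR_NEVER_LAUNCHED),
    ]:
        print(f"{label:24s} PCR20={reading.hex()} -> {check_measured_boot(reading, golden)}")
```

On a real ESXi 5.x host the equivalent first check is `esxcli hardware trustedboot get`, which reports whether DRTM is enabled and a TPM is present; the PCR values themselves are exposed through the vSphere API on the host's runtime information, and it is those values, not the BIOS setting, that an attestation service should compare against a golden measurement.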